fixing pundit policies on product shoppings controller (#2807)

Co-authored-by: Sri Harsha <sriharsha.poosa@gmail.com>
health-connector · Oct 29, 2024 · 06fb282 · 06fb282
1 parent 0b3c825
commit 06fb282
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 8 deletions.
diff --git a/app/controllers/insured/product_shoppings_controller.rb b/app/controllers/insured/product_shoppings_controller.rb
@@ -8,6 +8,7 @@ class ProductShoppingsController < ApplicationController
 
     # rubocop:disable Metrics/CyclomaticComplexity
     def continuous_show
+      authorize @hbx_enrollment
       # TODO: Use permit params
       attr = strong_params.to_h.deep_symbolize_keys
       @context = Organizers::FetchProductsForShoppingEnrollment.call(health: attr[:health], dental: attr[:dental], cart: attr[:cart],
@@ -45,6 +46,8 @@ def continuous_show
     # rubocop:enable Metrics/CyclomaticComplexity
 
     def thankyou
+      authorize @hbx_enrollment
+
       @context = {}
       params[:cart].each do |k, v|
         context = Organizers::PrepareForCheckout.call(params: v, person: @person, event: params[:event])
@@ -69,6 +72,8 @@ def thankyou
     end
 
     def checkout
+      authorize @hbx_enrollment
+
       @context = {}
       params.except("_method", "authenticity_token", "controller", "action", "waiver_context").each do |key, value|
         context = Organizers::Checkout.call(params: value, previous_enrollment_id: session[:pre_hbx_enrollment_id])
@@ -103,6 +108,8 @@ def checkout
     end
 
     def receipt
+      authorize @hbx_enrollment
+
       @context = {}
       params.except("_method", "authenticity_token", "controller", "action", "waiver_context").each do |key, value|
         context = Organizers::Receipt.call(params: value, previous_enrollment_id: session[:pre_hbx_enrollment_id])
@@ -124,6 +131,8 @@ def receipt
     end
 
     def waiver_thankyou
+      authorize @hbx_enrollment
+
       # TODO: Use permit params
       attrs = params.permit!.to_h.deep_symbolize_keys
       enr_details = attrs.slice(:health, :dental)
@@ -150,6 +159,8 @@ def waiver_thankyou
     end
 
     def waiver_checkout
+      authorize @hbx_enrollment
+
       @context = {}
       params.except("_method", "authenticity_token", "controller", "action").each do |key, value|
         context = Organizers::WaiveEnrollment.call(hbx_enrollment_id: value[:enrollment_id], waiver_reason: value[:waiver_reason])
@@ -201,8 +212,6 @@ def set_hbx_enrollment
       @hbx_enrollment = HbxEnrollment.find(params[:cart][:health][:id]) if params[:cart] && params[:cart][:health]
       @hbx_enrollment = HbxEnrollment.find(params[:dental][:enrollment_id]) if params[:dental]
       @hbx_enrollment = HbxEnrollment.find(params[:cart][:dental][:id]) if params[:cart] && params[:cart][:dental]
-
-      authorize @hbx_enrollment, :complete_plan_shopping?
     end
 
     def sanatize_params(param)

diff --git a/app/policies/hbx_enrollment_policy.rb b/app/policies/hbx_enrollment_policy.rb
@@ -51,6 +51,18 @@ def complete_plan_shopping?
     create?
   end
 
+  def continuous_show?
+    create?
+  end
+
+  def waiver_thankyou?
+    create?
+  end
+
+  def waiver_checkout?
+    create?
+  end
+
   private
 
   # # Returns the family associated with the current enrollment.

diff --git a/spec/controllers/insured/shop/product_shoppings_controller_spec.rb b/spec/controllers/insured/shop/product_shoppings_controller_spec.rb
@@ -125,7 +125,7 @@
 
         get :continuous_show, params: params
         expect(response).to redirect_to(root_path)
-        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.continuous_show?, (Pundit policy)")
       end
     end
 
@@ -188,7 +188,7 @@
 
         get :thankyou, params: params
         expect(response).to redirect_to(root_path)
-        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.thankyou?, (Pundit policy)")
       end
     end
   end
@@ -232,7 +232,7 @@
 
         post :checkout, params: params
         expect(response).to redirect_to(root_path)
-        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.checkout?, (Pundit policy)")
       end
     end
   end
@@ -270,7 +270,7 @@
 
         get :receipt, params: params
         expect(response).to redirect_to(root_path)
-        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.receipt?, (Pundit policy)")
       end
     end
   end
@@ -310,7 +310,7 @@
 
         get :waiver_thankyou, params: params
         expect(response).to redirect_to(root_path)
-        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.waiver_thankyou?, (Pundit policy)")
       end
     end
 
@@ -385,7 +385,7 @@
 
         post :waiver_checkout, params: params
         expect(response).to redirect_to(root_path)
-        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+        expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.waiver_checkout?, (Pundit policy)")
       end
     end
   end